Datazag

Enrich security logs with domain intelligence - instantly

Stop manual WHOIS lookups and DNS investigations. Enrich SMTP, proxy, DNS, firewall, EDR, and authentication logs with comprehensive domain intelligence. 315M pre-enriched domains with infrastructure attribution, mail server tracking, and relationship mapping - queryable in seconds.

The only domain intelligence with CNAME/PTR chain following, MX record resolution to IPs, and infrastructure attribution - available as cloud data share in Snowflake, Databricks, and AWS Data Exchange.
Get Free API Key
Explainable risk factorsDesigned to reduce noiseAPI, feeds & webhooks

The Manual Enrichment Problem

Your security team waste hours on checking every DNS record for a domain and then interpreting the information.

The Manual Enrichment Problem

Datazag's domain intelligence can automate enrichment in one SQL join across all your logs and for all records. Saving hours and hours of Analyst time

The Solution: Use Datazag's Domain Intelligence. Instantly.

Live Cloud Data Shares

Benefits

  • Zero-ETL and get the data instantly. No API throttling, no download scripts, no maintenance overhead. It just appears in your SQL editor as a table.
  • Query without fear. This is a flat-rate license. You have raw access to the full 315M+ row dataset. Run analytical queries, train ML models, or hunt for threats across the entire internet as often as you want. There is no meter running.
  • The complete map. Our shares include the "Shadow Domains" discovered via CertStream and the "Infrastructure Graph" (PTR/CNAME) found via our Adaptive DNS Scanning Grid. You aren't just ingesting a list of names; you are ingesting a map of attacker infrastructure that legacy feeds miss completely.
  • Better economics. We provide the storage. Vendors who offer SaaS portals charge a huge markup because they have to pay cloud provider for the compute to run your queries. With Cloud Shares you use your existing corporate cloud credits to query the data. This is 50-70% cheaper than buying a "SaaS License" where the vendor marks up the compute cost.
  • Fresh Data. Other systems provide "Daily Snapshots" that are 24-48 hours old by the time they are ingested. Our grid re-scans the priority internet every hour and the full internet every ~40 hours. The result is Your SIEM / Threat Hunting team is looking at today's internet, not yesterday's snapshot.

Supported Platforms ( Available Q1 2026)

  • AWS Data Exchange
  • Azure Data Share
  • Google Cloud Analytics Hub
  • Snowflake Marketplace
  • Databricks Marketplace
sql
-- Example: Enrich DNS logs
SELECT logs.*, dz.risk_score, dz.classification
FROM dns_logs logs
LEFT JOIN datazag.domain_intelligence dz ON logs.domain = dz.domain
WHERE dz.risk_score > 80;

Real-Time API Access

Benefits

  • Zero Dead Ends: Don't settle for "404 Not Found." If a domain isn't in our DB, we trigger an instant Live Sonar Scan to resolve, trace, and risk-score it in <2 seconds.
  • Forensic Verification: Validate takedowns instantly. We return precise DNS diagnostics (NXDOMAIN, SERVFAIL) so you can distinguish between a deleted threat and a blocking firewall.
  • Trust, But Verify: Force a Live Refresh on any record to bypass our cache and see the DNS and risk scores as they are now.
  • Subdomain Discovery: Catch the threats others miss. Our API sees "Shadow Domains" (paypal.secure.com) via real-time CertStream integration.
  • Sub-Second Latency: Millisecond response times on cached lookups. Couple of seconds on a live refresh.

Use Cases

  • User verification at sign-up
  • Real-time phishing detection
  • Email validation and cleaning
  • Fraud scoring engines
  • SIEM enrichment pipelines
python
import requests

API_KEY = "your_api_key"
BASE_URL = "https://api.datazag.com"

def enrich_domain(domain):
    url = f"{BASE_URL}/data/{domain}"
    headers = {"X-API-Key": API_KEY}
    
    response = requests.get(url, headers=headers)
    data = response.json()
    
    return {
        "domain": data["domain"],
        "age_days": data["age_days"],
        "is_phishing": data["phishing_detected"],
        "risk_score": data["risk_score"],
        "mailbox_provider": data["mx_classification"]
    }

# Example: Check a suspicious domain
result = enrich_domain("suspicious-example.com")
print(f"Risk Score: {result['risk_score']}/100")
Integration Diagram

Intelligence, not just data

Other services dump raw data and make you figure out what it means.

Datazag processes billions of signals—newly registered domains, DNS changes, SSL certificates, phishing feeds—and delivers clear, actionable intelligence tailored to your use case.

Our Approach:

Contextual:Every data point includes temporal context and historical patterns
Actionable:Pre-calculated risk scores and classifications, not just raw attributes
Accurate:Sub-1% false positive rates on phishing detection through multi-signal analysis
Current:Real-time updates mean you're working with the freshest intelligence available
Intelligence, not just data

Complete Domain Coverage, Updated in Real-Time

315M+
Domains Monitored

Description: Comprehensive coverage across all major TLDs with historical data and daily updates

<60 sec
Detection Speed

Real-time ingestion from Certificate Transparency logs and DNS changes

50+
Attributes Per Domain

Whois Registration data, DNS records, SSL certificates, phishing tags, mailbox intelligence, and more

24/7
Live Monitoring

40-server infrastructure continuously collecting and processing domain intelligence

Every domain. Every detail.

We don't just collect domain names—we build a complete intelligence profile for every domain we track.

Registration Intelligence

  • Domain age and creation date
  • Registrar information
  • Renewal patterns
  • Real-time monitoring with historical context
  • Sub-domain updates

DNS & Infrastructure

  • DNS - All records
  • Nameserver changes
  • TLD country
  • Hosting provider
  • ASN country

Email & Deliverability

  • Mailbox provider classification
  • SPF, DMARC & BIMI record validation
  • MX record validation
  • Disposable/parked detection
  • Email hygiene scoring

Infrastructure Chain Following

  • CNAME chains followed to source
  • PTR records followed to source
  • MX records resolved to mail server IPs
  • Master domain identification

Registrar & Network Intelligence:

  • ASN-based registrar inference
  • SOA record analysis
  • Hosting provider classification

Domain Relationship Mapping:

  • Campaign clustering through shared infrastructure
  • Related domain discovery
  • Infrastructure reuse detection

Security Signals

  • Phishing detection flags
  • Malware associations
  • Certificate Transparency monitoring
  • SSL/TLS certificate data
  • Brand impersonation indicators

Classification & Scoring

  • Domain purpose detection
  • Risk scoring algorithms
  • Mailbox provider categorization
  • Trust indicators
  • Anomaly detection

Temporal Data

  • First-seen timestamps
  • Last-updated timestamp
  • Change detection
  • Infrastructure modification tracking
  • Domain lifecycle monitoring

See What Enrichment Looks Like

Raw DNS log entry: 2025-01-14 | 10.0.1.45 | secure-payment-update.xyz | 203.0.113.50

sql
SELECT logs.*, 
       dz.risk_score,              -- 94 (CRITICAL)
       dz.classification,          -- "phishing_suspected"
       dz.domain_age_days,         -- 1 (registered yesterday)
       dz.hosting_provider,        -- "BulletProof Hosting Ltd"
       dz.cname_chain,             -- Reveals actual server: malicious-host.darknet.ru
       dz.related_domain_count,    -- 15 (same campaign)
       dz.campaign_id              -- "camp_2025_01_financial_phish"
FROM dns_logs logs
LEFT JOIN datazag.domain_intelligence dz ON logs.domain = dz.domain
WHERE dz.risk_score > 80;

Result:

Block entire 15-domain campaign in seconds, not hours.

Manual investigation: 15 minutes

With enrichment: 10 seconds

Logs You Can Enrich

DNS Query Logs

  • CNAME/PTR chain visibility
  • Risk scores for every query
  • C2 and malware detection

SMTP/Email Logs

  • Phishing detection
  • Mail server hosting analysis
  • Infrastructure mismatch detection
  • Sender validation

Proxy/Web Logs

  • CNAME chain following
  • Hosting provider analysis
  • URL risk scoring

Firewall/NGFW Logs

  • Destination risk assessment
  • ASN and registrar intelligence

EDR/Endpoint Logs

  • C2 domain detection
  • Infrastructure chain visibility

IAM/Authentication Logs

  • Email domain validation
  • Domain legitimacy scoring

Built from the Ground Up

Our intelligence comes from continuous monitoring of the internet's core infrastructure—not just static databases.

Mail Provider Analysis

Active probing of MX records and mail server configurations to classify email infrastructure

DNS Infrastructure

Continuous polling of authoritative nameservers and passive DNS collection across millions of domains

Certificate Transparency Logs

Real-time monitoring of SSL certificate issuance to catch newly registered domains within seconds of activation

Threat Intelligence Feeds

Integration with phishing databases, malware feeds, and security community sources for reputation data

WHOIS data

Direct feeds from registry operators and zone file access for authoritative registration data

Lookup Tables

Curated lookup tables to identify the providers and attributes for DNS records to Provider

  • MX -> Mailbox Provider
  • Hosting Providers
  • TLD & IP Country
  • ASN names &location

Power critical security workflows

From phishing detection to lead verification, our domain intelligence adapts to your needs.

Phishing Detection

Challenge

Detect malicious domains before they reach users

Solution

Real-time domain registration monitoring with <60 second detection on suspicious patterns

"Domain registered 3 hours ago + typo squatting detected → instant block"

Fraud Protection

Challenge

Filter fake accounts and junk sign-ups

Solution

Score domains at ingestion based on age, reputation, and infrastructure patterns

"Remove 90%+ of fraudulent registrations before they enter your funnel"

Email Deliverability

Challenge

Clean email lists and improve inbox placement

Solution

Identify disposable, parked, or misconfigured domains in your database

"Boost deliverability rates by 20-30% and reduce bounce rates"

Log Analytics & SIEM

Challenge

Enrich security logs with domain context

Solution

Bulk enrichment of domains from firewall logs, DNS queries, SMTP logs and web traffic

"New domain + high entropy + no mail records → escalate to analyst"

KYC & Compliance

Challenge

Verify business legitimacy at onboarding

Solution

Cross-reference domain age, SSL certificates, and email infrastructure

"Flag suspicious businesses (1-day-old domain + free email provider)"

Brand Protection

Challenge

Monitor for domain impersonation

Solution

Real-time alerts on similar domains registered to your brand

"Catch typo squatting domains within minutes of registration"

Try It yourself

Try It Yourself

* This is a demonstration of our real-time API. Full results available in our portal.

Flexible access for every team

Phishing Detection

Free forever

1,000 API calls/month

  • Phishing & Brand impostors flagged within 60 seconds off SSL issuance
  • Webhook, Email, Slack & MS Teams notifications
  • Customized for your brands
Sign Up Now

API Access

From $79/month

Multiple API endpoints tailored for different use cases

  • Under 200 millisecond response time
  • Webhook notifications
  • Perfect for: KYC, KYB and email validation applications
Purchase Now

Live Cloud Shares

From

Access to over 315M domains

  • Updated every 10 minutes
  • Available as parquet files in Delta & Iceberg data lake formats
  • SLA guarantees
  • Perfect for: Security Operations, Log Analytics, Large-scale Applications

Start building with domain intelligence

Get immediate access to the most comprehensive domain database. No credit card required for free tier.

Create Free AccountView Full Pricing Details
Explainable risk factorsDesigned to reduce noiseAPI, feeds & webhooks

Frequently asked questions

How often is your data updated?

Our infrastructure monitors domains in real-time, with new domain registrations detected within 60 seconds through Certificate Transparency logs. DNS and reputation data is refreshed continuously.

What's the difference between the API and Cloud Data Shares?

The API is perfect for real-time lookups and application integration. Cloud Data Shares give data teams direct SQL access to our complete dataset in their cloud platform—ideal for bulk analysis and joining with your own data.

Do you have historical data?

Yes, we maintain historical records for domains we've tracked, including DNS changes, SSL certificate history, and reputation changes over time.

What makes Datazag different from other domain intelligence providers?

We focus on actionable intelligence rather than raw data dumps. Our multi-signal approach combines real-time monitoring, phishing detection, and contextual scoring to give you answers, not just attributes.

Can I try it before committing?

Absolutely. Our free tier includes 1,000 API calls per month with access to all domain attributes. No credit card required.

What support do you offer?

Free tier includes community support. Paid plans include email support with priority response times. Enterprise customers get dedicated support channels and SLA guarantees.

Automating Enrichment

Your analysts and data teams spend hours on domain investigations: - Copy domain from logs → WHOIS lookup → DNS queries → VirusTotal → Google - 5-15 minutes per domain - Repeated dozens of times per day - Can't scale to analyze thousands of log entries

sql
SELECT 
    logs.timestamp,
    logs.source_ip,
    logs.domain,
    dz.risk_score,
    dz.domain_age_days,
    dz.classification,
    dz.hosting_provider
FROM dns_logs logs
LEFT JOIN datazag.domain_intelligence dz
    ON logs.domain = dz.domain
WHERE dz.risk_score > 70
ORDER BY dz.risk_score DESC;

With Datazag Domain Intelligence

All 315M domains pre-enriched updated hourly, queryable in seconds.